Legislative consultation process with the Data Protection Commission

An Coimisiún um Chosaint Sonraí / Data Protection Commission





Under the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 
2018 (‘the Act’), the Government is required to consult with the Data Protection 
Commission (‘DPC’) during the preparation of a legislative measure that relates to 
processing. This guidance document sets out the legislative consultation process. It also 
includes, at Annex A, a consultation form that should be completed and submitted with 
the proposed legislative measure. 


Scope of the consultation requirement under the GDPR and the 
Data Protection Act 2018 


Article 36(4) GDPR sets down the requirement that “Member States shall consult the 
supervisory authority during the preparation of a proposal for a legislative measure to be 
adopted by a national parliament, or of a regulatory measure based on such a legislative 
measure, which relates to processing.” 


The Act gives further effect to the GDPR and also transposes the Law Enforcement 
Directive (‘LED’). Section 84(12) of the Act, which relates to the LED, also provides that a 
Minister is required to consult with the DPC during the preparation of any legislative 
measure that relates to the processing of personal data. 


This means that State bodies developing legislative proposals have a statutory 
obligation to consult with the DPC when the legislation in question foresees or requires 
the processing of personal data under the GDPR or the LED. This includes both primary 
legislation (Bills) as well as secondary legislation, including statutory instruments (SIs) 
and regulations as well as legislation implementing a European measure. 


What is meant by processing personal data 


Personal data essentially means any information about a living person, where that 
person either is identified or could be identified through direct or indirect means. 
Personal data can include types of information such as names, dates of birth, 
identification numbers, email address, phone numbers, addresses, physical 
characteristics or location data - once it is clear to whom that information relates, or it 
is possible to find out.¹ Processing essentially means using personal data in any way, 
including collecting, storing, retrieving, consulting, disclosing or sharing with someone 
else, erasing, or destroying personal data.² It includes processing by automatic or 
non-automatic (manual) means. 

1 See Article 4(1) GDPR for the full definition of ‘personal data’. 


Types of processing that require consultation with the DPC 


Any legislative proposal that affects the processing of personal data will require 
consultation with the DPC. Examples of processing activities include: 


• Mandating the collection of personal data, 
• Requiring the transfer of personal data between State Agencies, 
• Restricting data subjects’ rights. 


The Act also sets down specific instances where the Minister for Justice is required to 
consult with the DPC before making regulations. These include: 


• Regulations giving full effect to Chapter IV (Mutual Assistance) of the 
  Council of Europe’s 1981 Data Protection Convention: Section 12 of the Act, 

• Regulations on the designation of a data protection officer: Section 34(1) of 
  the Act, 

• Regulations limiting personal data transfers outside the EU: Section 37(1) of 
  the Act, 

• Regulations on the Common Travel Area: Section 38(3) of the Act. 


The Act also requires the Minister for Justice or any other Minister to consult with the 
DPC before making the following regulations: 


• Regulations on the processing of personal data necessary for the 
  performance of a task carried out in the public interest or for the exercise 
  of official authority: Section 38(5) of the Act requires a Minister to consult with 
  the DPC before making regulations with respect to the processing of personal 
  data that is necessary and proportionate for the performance of a task carried 
  out in the public interest by a controller or for the exercise of official authority 
  vested in a controller. 

• Regulations on special category data and personal data relating to criminal 
  convictions and offences: Section 51(6) of the Act requires a Minister to consult 
  with the DPC before making regulations that authorise the processing of special 
  category data and/or personal data relating to criminal convictions and offences 
  for reasons of substantial public interest. 

• Regulations on personal data relating to criminal convictions and offences: 
  Section 55(5) of the Act requires that a Minister consult with the DPC before 
  making regulations on personal data relating to criminal convictions and 
  offences, where the processing is necessary and proportionate to: 

  (a) assess the risk of fraud or prevent fraud, or 

  (b) assess the risk of bribery or corruption or both or to prevent bribery or 
      corruption or both, or 

  (c) ensure network and information systems security, and prevent attacks on 
      and damage to computer and electronic communications systems. 

2 See Article 4(1)(2) GDPR for the full definition of ‘processing’. 


• Regulations restricting the rights of data subjects: Section 60(10) of the Act 
  requires that a Minister consult with the DPC before making regulations 
  considered necessary for the protection of a data subject or the rights and 
  freedoms of others restricting the rights and obligations set down in Articles 5, 
  12 to 22, or 34 of the GDPR. Such regulations can apply in the following 
  instances: 

  (a) if the application of those rights and obligations would likely cause 
      serious harm to the physical or mental health of the data subject, and 
      to the extent to which, and for as long as, such application would be likely 
      to cause such serious harm, and 

  (b) in relation to personal data kept for, or obtained in the course of, the 
      carrying out of social work by a public authority, public body, a voluntary 
      organisation or other body. 

  (c) where such restrictions are necessary for the purposes of safeguarding 
      important objectives of general public interest. 


• Regulations on suitable and specific measures for processing: Section 36(6) 
  of the Act requires that a Minister consult with the DPC before making 
  regulations: 

  (a) where there is a requirement to take suitable and specific measures to 
      safeguard the fundamental rights and freedoms of data subjects in the 
      processing of their personal data, and the regulation identifies additional 
      suitable and specific measures other than the ones set out in section 
      36(1), 

  (b) to make it mandatory to adopt those specific suitable and specific 
      measure(s). 


• Regulations on the processing of special categories of personal data under 
  the Law Enforcement Directive: Section 73(2) of the Act requires that a 
  Minister consult with the DPC before making regulations permitting the 
  processing of special categories of personal data where the processing is 
  necessary for reasons of substantial public interest. 

• Regulations on the restrictions of data subject rights under the Law 
  Enforcement Directive: Section 94(9) of the Act requires that a Minister consult 
  with the DPC before making regulations restricting certain data subject rights. 


Data Protection Impact Assessments 


During the preparation of a legislative measure, a Data Protection Impact Assessment 
(‘DPIA’) may be required, or may be helpful to identify risks to the rights and freedoms 
of individuals. In light of Article 35(10) GDPR, it is also recommended that a DPIA is carried 
out during the legislative drafting process as a means not only to help ensure the 
legislative measure meets data protection requirements, but also to identify and 
mitigate risks with respect to its inconsistent application by data controllers subject to 
the legislation. Controllers are required to undertake a DPIA for any processing or 
intended processing that is ‘likely to result in a high risk to individuals’. 


Controllers are also required pursuant to Article 36(1) GDPR and section 84(1) of the Act 
(which relates to LED) to consult with the DPC prior to processing where a DPIA 
indicates that the processing would result in a high risk to the rights and freedoms of 
individuals in the absence of measures taken by the controller to mitigate the risk. For 
more information on DPIAs, see the DPC’s Guide to Data Protection Impact 
Assessments. 


Consultation requirements with the DPC 


In order to effectively meet the requirements of Article 36(4) GDPR and section 84(12) of 
the Act, the DPC should be consulted on legislation during the development phase.⁵ 
This will allow the DPC to properly assess the proposed legislative measure and 
facilitate consideration of any comments the DPC may have prior to its finalisation. It is 
important that sufficient time is given to the DPC to consider any legislative proposal. 
State bodies should also consult their own Data Protection Officers on the legislative 
proposal prior to it being submitted to the DPC. 


Recital 96 GDPR states that the legislative consultation should take place with the 
supervisory authority, “in order to ensure compliance of the intended processing with this 
Regulation and in particular to mitigate the risk involved for the data subject”. The DPC 
considers that the consultation requirement is an on-going one, and that State bodies 
should keep the DPC informed, particularly when there are significant policy changes to 
the processing provisions after the initial consultation with the DPC. 

3 Recital 93 GDPR states “In the context of the adoption of the Member State law on which the 
performance of the tasks of the public authority or public body is based and which regulates the 
specific processing operation or set of operations in question, Member States may deem it necessary 
to carry out such assessment prior to the processing activities.” 

4 Article 35(1) GDPR. 

5 While it is not possible to point to a precise moment in time as to when the DPC should be 
consulted, a good rule of thumb is to consult the DPC when there is a well-developed Heads of 
Bill for primary legislation and when there is a preliminary draft of a Statutory Instrument for 
secondary legislation. 


Prior to the submission of a legislative measure to the DPC, State bodies should assess 
the measure in light of the requirements of data protection law. As part of this 
assessment it is important to note that the right to data protection, which is enshrined 
in Article 8 of the EU Charter of Fundamental Rights (‘the Charter’), is not absolute, but 
any limitation on the right must comply with the requirements laid down in Article 52(1) 
of the Charter.⁶ This provides that any limitation must be provided for by law, respect 
the essence of the right, meet objectives of general interest recognised by the Union or 
the need to protect the rights and freedoms of others and that the limitation is 
necessary and proportionate. When examining a legislative measure, the DPC will pay 
particular attention to the necessity and proportionality of a measure when providing 
its assessment as to whether the proposed measure complies with data protection law.⁷ 





6 Article 51(1) of the Charter provides that the Charter applies to the institutions and bodies of the 
Union and to Member States only when they are ‘implementing EU law’. The CJEU has equated 
“implementing EU law” to “falling within the scope of EU law”. CJEU, Case C-617/10, Åklagaren v 
Hans Åkerberg Fransson, 26 February 2013 and CJEU, case C-300/11 (Grand Chamber), ZZ v. 
Secretary of State for the Home Department, 4 June 2013, para 51. 

7 For more information see the European Data Protection Supervisor’s toolkits “Assessing the 
necessity of measures that limit the fundamental right to the protection of personal data: A 
Toolkit” available here 
https://edps.europa.eu/sites/default/files/publication/17-06-01_necessity_toolkit_final_en.pdf 
and “Assessing the proportionality of measures that limit the 
fundamental rights to privacy and to the protection of personal data” available here 
https://edps.europa.eu/sites/default/files/publication/19-12-19_edps_proportionality_guidelines2_en.pdf 


Annex A 
Legislative consultation form 


This form should be completed and accompany the legislative measure on which the DPC is being 
consulted pursuant to Article 36(4) GDPR or section 84(12) of the Act, or pursuant to one of the 
specific provisions in the Act that requires consultation with the DPC before making the regulation 
in question. 


It should be reviewed by your Data Protection Officer prior to it being submitted to the DPC. 


The form can be sent to consultation@dataprotection.ie or to your focal point person on the 
supervisory team. 








Your Department 

Title of legislative measure 

Type of legislative measure: Primary or Secondary legislation and type of secondary legislation. Please also include the name of primary legislation under which the measure is to be made (if applicable). If the measure is intended to give effect to a piece of European legislation, please also cite here. 

The provision in the GDPR or in the Act under which you are consulting the DPC. 

Drafting timeline of legislation and its current stage. 

Name and contact details for liaison person. 

Name and contact details for Data Protection Officer (if different from above). 

Have you consulted with your Data Protection Officer? 











Questions on the legislative measure 

Provide a summary of the proposed legislative measure. This should include an explanation of the issue that the legislation seeks to address. 

Please cite the provisions that relate to personal data processing. 

Please provide details of the types of personal data that will be processed under the legislative measure. 

Does the legislative measure propose the processing of special categories of personal data or Article 10 GDPR personal data? If so, please explain. 

Which group(s) of data subjects will the legislative measure affect? Please also include any vulnerable groups such as children. 

If the legislative measure relates to the collection of personal data, state where the personal data will be collected from. 

Does the legislative measure propose the sharing of personal data between data controllers? If so, please explain. 

Does the legislative measure propose to restrict the right(s) of data subjects and obligations of a controller? Please provide details. 

Have any of the processing activities been identified as high risk? If so, please explain. 

Does the processing involve the systematic monitoring of individuals, involve large scale processing of sensitive personal data or Article 10 data? Please explain. 

Are there any current issues of public concern that should be considered? 

Is a Data Protection Impact Assessment being conducted with respect to the legislative measure? If not, please explain. 

Has there been a public consultation with relevant stakeholders? If so, please provide details. 

Any other information you wish to bring to the attention of the DPC. 














